Fix vault file owner issues and k8s apiserver cert creation (#2985)
apiserver cert should be created only once
This commit is contained in:
parent
83d1486a67
commit
97e0de7e29
5 changed files with 12 additions and 2 deletions
|
@ -13,6 +13,8 @@
|
||||||
sync_file: "{{ item }}"
|
sync_file: "{{ item }}"
|
||||||
sync_file_dir: "{{ etcd_cert_dir }}"
|
sync_file_dir: "{{ etcd_cert_dir }}"
|
||||||
sync_file_hosts: [ "{{ inventory_hostname }}" ]
|
sync_file_hosts: [ "{{ inventory_hostname }}" ]
|
||||||
|
sync_file_owner: kube
|
||||||
|
sync_file_group: root
|
||||||
sync_file_is_cert: true
|
sync_file_is_cert: true
|
||||||
with_items: "{{ etcd_master_cert_list|d([]) }}"
|
with_items: "{{ etcd_master_cert_list|d([]) }}"
|
||||||
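Review bot: `sync_file_group: root` in this hunk disagrees with the `issue_cert_file_group: "{{ kube_cert_group }}"` used for the apiserver cert in the @ -44,6 +44,7 hunk on this page, so the etcd certs synced to the master end up group-owned by root while the other kube certs use the configurable cert group. If the etcd client cert and key are meant to be readable by the same group as the rest of the kube certs, `sync_file_group: "{{ kube_cert_group }}"` keeps the two paths consistent; if root is intentional, a one-line comment above it stating why would stop the next reader from "fixing" it. The enclosing include task header is outside the hunk.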
|
|
||||||
|
|
|
@ -44,6 +44,7 @@
|
||||||
issue_cert_file_group: "{{ kube_cert_group }}"
|
issue_cert_file_group: "{{ kube_cert_group }}"
|
||||||
issue_cert_file_owner: kube
|
issue_cert_file_owner: kube
|
||||||
issue_cert_hosts: "{{ groups['kube-master'] }}"
|
issue_cert_hosts: "{{ groups['kube-master'] }}"
|
||||||
|
issue_cert_run_once: true
|
||||||
issue_cert_ip_sans: >-
|
issue_cert_ip_sans: >-
|
||||||
[
|
[
|
||||||
{%- for host in groups['kube-master'] -%}
|
{%- for host in groups['kube-master'] -%}
|
||||||
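Review bot: `issue_cert_run_once: true` is added without a comment, and the reason exists only in the commit message ("apiserver cert should be created only once"); a reader of this vars block cannot tell that it switches the issuing task in the shared issue_cert task file (the @ -87,6 +87,7 hunk on this page) to `run_once`. Suggest `# issue the apiserver cert once so every master presumably shares one cert/key; enables run_once in issue_cert` above the line. Since `issue_cert_hosts` lists all kube-master hosts, confirm the single issued cert is still copied to every master after this change — the copy task is outside this hunk. The enclosing include task starts outside the hunk.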
|
|
|
@ -43,7 +43,7 @@
|
||||||
- "{{ vault_pki_mounts.etcd }}"
|
- "{{ vault_pki_mounts.etcd }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: mount
|
loop_var: mount
|
||||||
when: inventory_hostname in groups.vault and not vault_cluster_is_initialized
|
when: inventory_hostname == groups.vault|first and not vault_cluster_is_initialized
|
||||||
|
|
||||||
- include_tasks: ../shared/gen_ca.yml
|
- include_tasks: ../shared/gen_ca.yml
|
||||||
vars:
|
vars:
|
||||||
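Review bot: The new condition `inventory_hostname == groups.vault|first` picks the vault host purely by inventory order; if other tasks in this file select the "leader" vault host differently (the rest of the file is outside the hunk), the mounts created here may land on a different node than the one later initialized, so the selector is better kept in one shared variable. Splitting the condition also makes it easier to read and grep: `when:` / `  - inventory_hostname == groups.vault|first` / `  - not vault_cluster_is_initialized`. Note that `groups.vault|first` on an empty vault group likely errors on the undefined comparison where the old `in groups.vault` test simply evaluated to false.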
|
|
|
@ -4,6 +4,8 @@
|
||||||
sync_file: "ca.pem"
|
sync_file: "ca.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
sync_file_hosts: "{{ groups.vault }}"
|
sync_file_hosts: "{{ groups.vault }}"
|
||||||
|
sync_file_owner: vault
|
||||||
|
sync_file_group: root
|
||||||
sync_file_is_cert: true
|
sync_file_is_cert: true
|
||||||
|
|
||||||
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
||||||
|
@ -20,6 +22,8 @@
|
||||||
sync_file: "ca.pem"
|
sync_file: "ca.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
sync_file_hosts: "{{ groups['kube-master'] }}"
|
sync_file_hosts: "{{ groups['kube-master'] }}"
|
||||||
|
sync_file_owner: vault
|
||||||
|
sync_file_group: root
|
||||||
sync_file_is_cert: false
|
sync_file_is_cert: false
|
||||||
|
|
||||||
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
- name: bootstrap/sync_vault_certs | Set facts for vault sync_file results
|
||||||
|
@ -36,6 +40,8 @@
|
||||||
sync_file: "api.pem"
|
sync_file: "api.pem"
|
||||||
sync_file_dir: "{{ vault_cert_dir }}"
|
sync_file_dir: "{{ vault_cert_dir }}"
|
||||||
sync_file_hosts: "{{ groups.vault }}"
|
sync_file_hosts: "{{ groups.vault }}"
|
||||||
|
sync_file_owner: vault
|
||||||
|
sync_file_group: root
|
||||||
sync_file_is_cert: true
|
sync_file_is_cert: true
|
||||||
|
|
||||||
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
|
- name: bootstrap/sync_vault_certs | Set fact if Vault's API cert is needed
|
||||||
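Review bot: In the @ -20,6 +22,8 hunk `sync_file_owner: vault` is applied to ca.pem synced to `groups['kube-master']`, but the `vault` user is presumably only created on the vault hosts; on any master that is not also in `groups.vault` the ownership change would fail with an unknown-user error. The other two hunks in this file target `groups.vault`, where that owner is appropriate. Either make the owner conditional, e.g. `sync_file_owner: "{{ 'vault' if inventory_hostname in groups.vault else 'root' }}"`, or add a comment stating that the vault user is expected to exist on every master. The enclosing include tasks start outside the hunks.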
|
|
|
@ -45,7 +45,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
recurse: yes
|
recurse: yes
|
||||||
owner: "vault"
|
owner: "vault"
|
||||||
group: "vault"
|
group: "root"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: gen_certs_vault | install hvac
|
- name: gen_certs_vault | install hvac
|
||||||
|
@ -87,6 +87,7 @@
|
||||||
format: "{{ issue_cert_format | d('pem') }}"
|
format: "{{ issue_cert_format | d('pem') }}"
|
||||||
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
|
ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}"
|
||||||
register: issue_cert_result
|
register: issue_cert_result
|
||||||
|
run_once: "{{ issue_cert_run_once | d(false) }}"
|
||||||
|
|
||||||
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
|
- name: "issue_cert | Copy {{ issue_cert_path }} cert to all hosts"
|
||||||
copy:
|
copy:
|
||||||
|
|
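Review bot: `run_once: "{{ issue_cert_run_once | d(false) }}"` makes the issuing task execute on the first host of the play batch, not the first host in `issue_cert_hosts`; if the task also carries a `when` limiting it to `issue_cert_hosts` (the task header is outside the hunk), a `when` that is false on that first host skips the task for every host and no cert is issued. Registering `issue_cert_result` under run_once does propagate the result to all hosts, so the following copy task should still see it, but confirm that task is not also run once. If the issuing host must be a member of `issue_cert_hosts`, `delegate_to: "{{ issue_cert_hosts | first }}"` alongside `run_once` pins it. Separately, in the @ -45,7 hunk the `group: "root"` change is applied with `recurse: yes` and `mode: 0755`, so as far as the hunk shows every file already under the cert directory, including any private keys, is re-grouped and set to 0755 as well; consider dropping `recurse` or setting the key files' mode in a separate task.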